Servers running the framework are vulnerable to remote code execution in their default configuration.

Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability in the Ruby on Rails framework that gives remote attackers the ability to execute malicious code on the underlying servers.

The bug is present in Rails versions spanning the past six years, and in default configurations it gives attackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash, according to Ben Murphy, one of the developers who has confirmed the vulnerability. As of last week, the framework was used by more than 240,000 websites, including Github, Hulu, and Basecamp, underscoring the seriousness of the threat.

"It is quite bad," Murphy told Ars. "An attacker can send a request to any Ruby on Rails server and then execute arbitrary commands. Even though it's complex, it's reliable, so it will work 100 percent of the time."

Murphy said the bug leaves open the possibility of an attack in which one compromised Rails site seeks out and infects others, creating a worm that could infect large swaths of the Internet. Developers of the Metasploit framework, used by hackers and penetration testers, are in the process of creating a module that can scan the Internet for vulnerable sites and exploit the bug, said HD Moore, CSO of Rapid7 and chief architect of Metasploit.

Maintainers of the Rails framework are urging users to update as soon as possible to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15. Updating is relatively painless for many sites, although temporary slowdowns are sometimes possible. Those who can't update should apply the workarounds: either disable XML parameter parsing entirely or, failing that, disable the YAML and Symbol type conversions in the Rails XML parser. Rails maintainers have published initializer code that applies these measures.

The bug stems from the way Rails converts typed parameters in XML requests: a "type" attribute on an element selects how its text is converted, and the "yaml" and "symbol" conversions hand attacker-controlled text to the YAML loader, which can instantiate arbitrary Ruby objects, or intern it as symbols. That is why the workaround removes exactly those two conversions. The advisory is here, and additional technical details are available here and here.
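The parser behaviour the workaround above targets, as an added example that is not code from the article or from Rails itself: a toy model of the type-attribute dispatch, with the dangerous entries beside the hardened table. The Gadget class, the parse_params helper and the request body are constructed for this example. The real workaround in the advisory deletes the "yaml" and "symbol" keys from the ActiveSupport::XmlMini::PARSING hash that the XML parser consults; the toy table stands in for that hash.

```ruby
require 'yaml'

# Stand-in for any class an attacker would like the server to build.
# The name is an assumption for this example; nothing about it is special,
# which is the point: unsafe YAML loading instantiates whatever it is told to.
class Gadget
  attr_reader :cmd
end

# Toy model of the type-attribute dispatch table (the real parser consults a
# hash keyed by the XML "type" attribute). 'symbol' and 'yaml' are the two
# entries the advisory's workaround removes.
VULNERABLE_PARSING = {
  'integer' => ->(s) { Integer(s, 10) },
  'string'  => ->(s) { s },
  'symbol'  => ->(s) { s.to_sym },
  # Older Psych only had YAML.load, which was unsafe; newer Psych made load
  # safe and moved the old behaviour to unsafe_load. Pick whichever
  # reproduces the historical behaviour on the running Ruby.
  'yaml'    => ->(s) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(s) : YAML.load(s) }
}.freeze

# Hardened table: the same shape as the advisory's initializer, which deletes
# the two dangerous keys rather than patching the parser.
HARDENED_PARSING = VULNERABLE_PARSING.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Minimal element matcher for leaf elements: <name type="...">body</name>.
# Deliberately not a real XML parser; the point is the dispatch on "type".
ELEMENT_RE = %r{<(\w+)(?:\s+type="([^"]*)")?>([^<]*)</\1>}

def parse_params(xml, table)
  xml.scan(ELEMENT_RE).each_with_object({}) do |(name, type, body), params|
    conv = table[type]
    # Unknown or removed types fall back to the raw string.
    params[name] = conv ? conv.call(body) : body
  end
end

# Constructed request body: one ordinary field, one symbol-typed field and one
# yaml-typed field carrying a Ruby object tag.
EVIL_REQUEST = <<~XML
  <user>
    <age type="integer">31</age>
    <role type="symbol">admin</role>
    <name type="yaml">--- !ruby/object:Gadget
  cmd: id
  </name>
  </user>
XML

# Runs the same request through both tables and returns both results.
def demo
  {
    vulnerable: parse_params(EVIL_REQUEST, VULNERABLE_PARSING),
    hardened:   parse_params(EVIL_REQUEST, HARDENED_PARSING)
  }
end

if __FILE__ == $0
  r = demo
  puts "vulnerable parser built: #{r[:vulnerable]['name'].class} / #{r[:vulnerable]['role'].inspect}"
  puts "hardened parser kept:    #{r[:hardened]['name'].class} / #{r[:hardened]['role'].inspect}"
end
```

With the vulnerable table the "name" field comes back as a live Gadget instance and "role" as an interned symbol; with the hardened table both stay plain strings and the integer conversion still works, which is the property to check after applying the advisory's initializer: typed fields an application relies on keep converting, and the two dangerous types silently degrade to strings.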

38 Reader Comments

Updated all my apps painlessly as soon as the news hit this morning. The researchers who discovered this and the maintainers all did exactly the right thing with this, great job for them!

It's truly a remarkable development how we have things today like Rails, Django, ASP MVC et al that make these exploits a rare, big news event these days. It wasn't too long ago in the dark days of dynamic web applications where another huge PHP, Apache or classic ASP security critical update came out pretty much monthly, and they were hell and had breaking changes to apply to a running server.

Will this get stupid fucks like Jeff Atwood constantly picking on PHP?

But it's so much fun to pick on PHP.

Heh. Well I like PHP and JS. Pretty much the two most hated web languages. I know their shortcomings but appreciate their strengths.

PHP has strengths? Compared to what?

Now I'm confused - what have I been missing only knowing PHP?

If you want a nice explanation, read this. There are design trade-offs and compromises in any language, and keeping backwards compatibility is bound to end up causing at least a little bit of a mess. With that in mind, PHP is still a special kind of monster .

that php fractal post is full of bias and it got much more attention than it deserved

So can you identify what you see as inaccurate in the post? The author makes it pretty clear that he does indeed hold a bias, but I don't think he's dishonest or exaggerates the issues. Lots of the points apply to various other languages too, but that doesn't mean they aren't flaws which ideally would have been avoided, and definitely shouldn't have been repeated.

That article exaggerated every tiny flaw in PHP to epic proportions. It got so much attention because it was so long and detailed. You could write the exact same way about any language if you're obsessed enough. None of it changes the fact that PHP remains extremely popular, productive and performs quite well - can't wait for the earlier poster to explain its performance problems compared to something comparable (C++ is not comparable).

Patching any public facing application - webapp, webserver, reverse proxy, C/S app - whatever is just part of life. I haven't checked, but if any of my RoR apps have been hacked, there are system backups. Easily load up a new VM, put the last pre-hacked version on, restore the data, patch to the new app version (migrate rocks) and all will be just fine until the next time.

At least the RoR guys
* announced the issue
* fixed the issue
* announced the fix

Many other communities would not. Some other projects have shipped a release with a known, major, security bug instead of delaying the release and fixing it.

Like others have said, no language implementation or framework is without bugs. I can't see any ever being without bugs.

I say, "GREAT work Rails guys!"

----
That was easy. Verify that the backup worked last night and that nothing new happened since.
$ gem update
$ /etc/init.d/really-great-program restart
$ rails --version
Rails 3.2.11
----
Good enough. Program is working fine.

'That article exaggerated every tiny flaw in PHP to epic proportions.' Pluck one out at random: == is basically just broken. This isn't an exaggeration, it's just rubbish. The article does nitpick and go over minor issues as well, but that's largely beside the point. Much of it, if not most, is dedicated to really bad flaws.

'You could write the exact same way about any language if you're obsessed enough.' Nope. If your first statement was anywhere near true then yeah, if you nitpick you can write an essay of flaws on anything, but you are wrong. PHP is full of terrible design and some frankly shockingly bad decisions by its maintainers. (Just look up the debacle with an overflowing integer which they tried to fix by comparing it to INT_MAX. Just... unbelievable.)

'None of it changes the fact that PHP remains extremely popular, productive and performs quite well' Popularity is meaningless; it's popular because it's easy and you can hack crap together rapidly, and the fact it's a godforsaken mess only matters further down the line. Incidentally, productivity becomes a gulag because of this, where some poor sod (e.g. me) spends most of their time repairing the scrambled mess of code that came before. (The number of PHP developers who don't even know what a function is... and believe me, the developers of PHP seem almost as confused as those devs, given the random crap and slow implementation you see with PHP functions/"functions".) Don't give me any crap about any language being capable of having the same issue, because PHP is practically built to make a mess of everything: dozens of functions doing the same thing, no consistent syntax in any of it, whole chunks of PHP that shouldn't even exist trying to fix problems that shouldn't occur.

This is all mentioned in the fractal of bad design article; they are not nitpicks, they are not minor, they are not common to all web languages.

Well, the obvious "comparable" stack would be ASP. Which performs a hell of a lot better.

The chief problem with PHP is just that it's a very badly "designed" language, which is, you know, what that article points out. I suppose, if PHP is (almost) all you know, you won't notice all these shortcomings, but pleeeease, do not pretend that this means they don't exist. Please do not use your ignorance as an argument in favor of PHP. Please do not tell others to use PHP just because "I'm too ignorant to see its flaws, and the same might be true for you".

Yes, PHP is popular. So is McDonalds. Doesn't mean it's good for you.

If you can write "the exact same" about any other language, I welcome you to try. I couldn't, because no other language I know of (and I know quite a few) share PHP's "broken at every level, seemingly by design" characteristic. No other language makes it so easy to write bad code, and yet so hard to write good code.

C++ has its flaws, Ruby has its flaws, JavaScript has flaws, C# has flaws, Scheme has flaws, SML has flaws, but all of these languages, every language I've ever seen except for PHP, that is, also has redeeming qualities. Every one of them is basically a sound idea with a number of individual trouble spots.

PHP is all trouble spot. It's what you get when someone who doesn't know programming decides to make a programming language (funnily enough, that was *exactly* how it got started). When someone unqualified takes a bad idea and tries to build more bad ideas onto it.

The ability to smugly proclaim that your language of choice is soooo much better than languages X, Y, and Z.

That's not what these people are saying. They're not saying "my language is better than all the others", which is easy to dismiss as ignorant fanboy gloating, and simply implies that "I only know my language", but rather "all the others are better than your language", which implies that they actually *know* other languages and they *know* your language.

I would say "but feel free to keep punishing yourself with PHP", except that would lead to more scary PHP code in the world. Instead, please feel free to educate yourself. No matter which language you use, and yes, you can keep using PHP and I can't stop you, learning is *always* good. Even if you're going to be a PHP programmer for the rest of your life, you will become a *better* PHP programmer by learning some other languages. Learn Haskell, learn C++, learn Ruby or Scheme. Even if you maintain your belief that PHP is the best thing ever, learning these will still make you a better programmer.

And who knows, maybe learning something different will enable you to see *why* people who know other language hate and despise PHP so much.

Credentials: Professional PHP developer for going on ten years.

I'm 25% down that article and still waiting for some serious PHP monster to say BOO! Yep, it takes a quarter of the article before the author states, and I quote, "Okay, back to facts" - that's a quarter of the article devoted to demonstrating just how biased they are. The next 25% appears to primarily be a run down of exactly what I said - over exaggerations of minor differences. PHP is obviously not Ruby or Python or Perl. It was created in the mid 90s to let someone add in C-like programming statements to HTML documents so it follows an entirely different approach, i.e. it inherits bits of C and kept it around for backwards compatibility.

That's all that article is about - PHP was not designed as a pure OOP language from Day 1 but as a toolbox for web programming. This has been known fact since forever. What the article is good at is detailing every minute difference, every compromise, and the requirement for broad backwards compatibility as being PHP's fault. Because it forgot to look 15 years into the future, I guess. All while being oblivious to how higher end constructs have steadily displaced low level tinkering. PHP 5 has a decent OOP model, libraries are a dime a dozen on Github, and PHP has more frameworks than you can shake a stick at. FFS, he complains about opcode caching like it's horrible and nightmarish despite being an obviously good thing for PHP that everyone with half a brain cell has used for years!

Only vs Ruby on Rails. ASP.NET and even old JSP are faster. I think it would be more accurate to say that Ruby on Rails has very poor performance than PHP has good performance.

Broadly, it's long been known that PHP, Ruby, Python and Perl are roughly similar in terms of speed with any number of leeways. Check out the programming language shootout benchmarks - http://benchmarksgame.alioth.debian.org ... l&lang=all - according to that, PHP is a bit faster than Ruby/Python. When I say faster, I mean real world performance differences will be difficult to estimate. Those benchmarks are always swapping the Big 4 places. Less scientifically, I know from personal benchmarking that PHP's Symfony is roughly the same as Rails at simple application performance (factoring out databases, web connections, and other blocking resources).

Symfony is/was the slowest PHP framework especially if you use it with Twig. Of course caching helps a ton and I haven't had any performance issues myself (Symfony is my PHP framework of choice). http://www.yiiframework.com/performance/

Thanks, that link was interesting, but what a whiner. I think PHP's awesomeness is its flexibility. If you want to program functionally, you can. If you want to get all OOPy, no problem. There's frameworks galore if you're into that kind of thing. You can even mix and match if appropriate. PHP gives you 10 different ways to write clear concise modular code. You can pick the tools that you like. Yes, that flexibility means there's plenty of ways to write buggy spaghetti. It's up to you as a programmer not to.

'The next 25% appears to primarily be a run down of exactly what I said' If you consider gross inconsistencies, broken basic operators, a clueless error handling system, slow functions, terrible scoping, function repetition, etc., etc. 'minor' or 'exaggerated' then I have to wonder if you actually know any other languages. (Incidentally, he complains about opcode caching not because you shouldn't use it but because in most other platforms it's not a problem in the first place.)

'Because it forgot to look 15 years into the future' Many of these issues have existed in PHP since it got the name 'PHP'. Most don't appear to be on the agenda for repair at all, probably because, like you, they don't consider it to be a big deal in the first place. Any language that has baggage problems still has problems. You can't just dismiss them because legacy code still works.

'libraries are a dime a dozen on Github, and PHP has more frameworks than you can shake a stick at' Yes, you can avoid loads of PHP's crap by using frameworks and other tools, but this doesn't justify the mess PHP is underneath, and nothing can keep you out of that mess entirely.

Group of White-Hats develop a virus that:
- Searches for vulnerable RoR servers
- Hacks them and creates an elevated user
- That user patches the server, or eliminates the vulnerability
- Deletes created user, leaving a .txt for the change

That would be an interesting hack, but I imagine that upgrading someone else's server is problematic.

This response is perfect. It hits every important point very concisely and with far less cursing than I end up using. So... yoink!

I believe Twitter uses Scala, RoR and Java (and possibly others!) for different pieces of the application. You have to look at all of the pieces that come into play in a complex environment because odds are a single component isn't responsible for the full performance, negative or positive.

Rails had 35 vulnerabilities published in 2012, and 2 published in the first 11 days of 2013, not counting the one mentioned here (which hasn't had a CVE published, yet).

(This response isn't directed at you; it's directed at the thread.)

I have used PHP on and off for years. I have the Zend certification. I can admit that PHP is messy and unfocused. That doesn't mean you can't write good programs in PHP, it just means you could probably write good programs faster in some other language.

I would never ridicule somebody for using it. We all have jobs to do, and in some cases hobbies, and what programming language somebody else uses is like what color they dye their hair. It doesn't affect you, so stop trying to get off by putting other people down. I find articles like this interesting for the security angle, but for some reason the comments section always descends into a flamewar about programming languages.

Show me something cool you made, and I will be impressed. I don't give a damn what language/framework/OS/text editor was used.